Thursday, August 10, 2017

Rather than typing or swiping on your keyboard, sometimes it is easier to just cut, copy, and paste some text. If you want to enter some long pieces of text such as an address, password, or website link, using Android’s copy and paste feature certainly beats having to precisely type each character out. But Android’s clipboard is notoriously insecure because any app on your phone can read from it without your permission, so it’s generally recommended that you never copy any sensitive data. Today, I’m going to show you how to protect your privacy by stopping apps from reading the Android clipboard.

For context, Android’s copy and paste framework allows any application to read from or write to the device’s clipboard. Using this framework, many developers have made third-party clipboard managers available on the Play Store. While these applications, as well as a few others such as Google Translate, put the clipboard framework to good use, there’s absolutely no telling what other applications may be doing with your clipboard. Some apps that request the permission are transparent about what they do with your clipboard data, but you would be surprised by how many apps on your phone have the ability to read your clipboard! That’s exactly why so many password manager apps on Android recommend you use their own keyboard when entering passwords – they want to protect you from apps that might steal your password from your clipboard!

But no longer will you have to tip toe around what you can and can’t copy because we’ll be showing you how to control which apps can read your Android clipboard. This is not something you can do on your phone without a hidden command line option, but we will be guiding you through the process of how to do so. Once you’ve followed this tutorial, you should be able to safely copy whatever data you want without worrying that some rogue app might be logging every single thing you copy and paste.

Stop Apps from Reading the Android Clipboard

You’ll first need to download and then install the USB drivers for your phone or tablet. This may only be necessary if you are on Windows.

Then, open the Settings app on your phone and find the “About Phone” option – usually near the bottom.

Scroll down and look for “Build Number.” Tap on this value 7 times to enable Developer Mode.

Go back to the main menu in Settings and enter the new Developer Options menu.

Enable USB Debugging Mode.

Plug in your device to your PC and change the USB mode from “charge only” to “file transfer (MTP)”.

On your computer, navigate to where you extracted the ADB binary earlier in step 2.

For Windows users, open a Command Prompt in this ADB directory. The easiest method to do this is to press Shift+Right-click then in the context menu that appears choose the “open command window here” option. For Mac or Linux users, open a Terminal.

Enter the following command: adb devices. If you are on Mac or Linux, you may need to prefix the command with the entire directory to where ADB is stored. So for example, /home/user/downloads/adb devices. If so, you’ll need to remember to prefix any further commands in this tutorial in the same way.

In any case, entering the command will start the ADB daemon. If this is your first time using ADB, you will see a prompt on your device asking you to authorize a connection. Allow it.

Re-run the command from step 10 and you’ll see the serial number of your device in the output. If you do, then go on to the next step. Otherwise, re-install your drivers.

Now send the following command: adb shell

This will enter you into your device’s shell environment. Now, we need to figure out what apps are able to read the clipboard. Enter this: cmd appops query-op --user 0 READ_CLIPBOARD allow

Example: apps that can read my clipboard

As you can see, in the output you’ll see a list of packages that can read your clipboard. Some of what’s listed here may be obvious to you what app it correlates to, but if not, install App Inspector and then find the name of the package under each app name.

Once you know which app(s) you want to prevent from reading the clipboard, enter the following: cmd appops set <package> READ_CLIPBOARD ignore

If you don’t see an error message, then the command worked! Repeat the above step for any other apps you want to stop reading your clipboard.

If you want to undo what you just did, change “ignore” in step #16 to “allow”. Alternatively, you can uninstall then reinstall the app and it will reset all permissions.

If the commands in steps 14 and 16 aren’t working for you, try running them without the “cmd” in front. I’ve heard that this may be necessary for some phones running Android 6.0 Marshmallow or below.

Explanation

Any applications that declare the permission android.permission.READ_CLIPBOARD in their AndroidManifest.xml file is automatically granted this permission when it is installed, meaning they can read the Android clipboard. Although many devices have access to a permission management control system in Settings, READ_CLIPBOARD is not something users can restrict from apps unless you’re a user of certain custom ROMs such as LineageOS.

However, there’s actually a hidden way of restricting the permission apps use to read your clipboard, and it’s what we just did above. We used the hidden “appops” command line interface, which lets us restrict more permissions than is shown in Settings. The first command we did, query-ops, pulls a list of applications installed that have been granted the Android clipboard read permission. Using that list, we can then decide which apps we want to stop from reading your clipboard. If you decide to restrict the permission from every user/third-party app installed on your device, then you can even start to safely copy and paste your passwords without having to worry that another app might listen in and steal your passwords!